Do You Use WordPress? Watch the “Backdoor!”

WordPress may be one of the world’s most popular content management platforms, but its plugins open up a Backdoor Vulnerability.

WordPress is one of the most popular CMS (Customer Management Software) platforms of all time, and for good reason. The overall ease of use and administration appeals to individuals, bloggers and small businesses. Plus, it’s compatible with tens of thousands of plug-ins to help you perform tasks, transform data, aggregate analytics, grow customer lists, and effectively sell products and services.

With all that WordPress has going for it, the install base is in the millions — making it a prime target for hackers looking to take advantage of widespread vulnerabilities. Unfortunately, that’s exactly what happened when a backdoor into the WordPress administration was found in the Display Widgets plugin.

The Display Widgets plugin is currently installed on over 200,000 WordPress sites across the Internet. Worse, WordPress.org staff members may have known about this for a long time, and they didn’t take immediate action to stop selling it.

WordPress’s Staggering Growth

Did you know that a WordPress post is published every 19 seconds? – And that downloads of the platform were up over 500 percent in the last five years? WordPress now accounts for nearly 50 percent of websites on the Internet!

With hundreds of millions of posts, more than 36,000 WordCamp conference attendees, and installs in nearly 60 countries, WordPress is the “800-pound gorilla” of the Web CMS market.

Self-proclaimed as being the most flexible, customizable, and easy to update CMS on the market today, WordPress has moved beyond hosting blog pages to now powering websites for some of the largest and most exclusive brands in the world (like McAfee, Routers, CNN, NASA, Facebook and more).

Is WordPress Secure?

Sure, the platform is relatively easy to use, but is it secure? This is the question that millions of users are asking themselves after the news broke about the vulnerability in the Display Widgets plugin.

However, if you own a small business, you may not have the time to fully research these security concerns. You just want to know that your blog post is getting published as it should.

The intuitive and user-friendly interface is welcoming, but you must take the time research the vulnerabilities before you decide if WordPress is right for you. The same plugins that let you take advantage of new functionality in WordPress can also be your downfall.

WordPress Vulnerabilities

Security exploits are nothing new for WordPress users, and the WordPress.org team addresses these issues regularly with security releases and patches. However, if you aren’t keeping up with security patches, vulnerabilities can provide unauthorized access to your systems.

Here’s a short list of WordPress security issues and when they occurred:

2007/2008: WordPress servers were compromised leading major technology blogs to “cry wolf.” WordPress created a new and more intuitive update process for ongoing updates.

2009: After discovering a need for overall hardening of the platform, WordPress released a flurry of updates that began a new and more proactive focus on security.

2011 – 2014: Hackers discovered a vulnerability in the Tim Thumb image resizing utility that allowed them to load and execute a PHP code onto WordPress servers. Attacks continued until the code was pulled by the developer.

2013: A large-scale review of top sites through Alexa’s software revealed that nearly 75% of them were vulnerable because they ran older versions of the WordPress platform.

2015: While the world’s largest body of plugins was still vulnerable, security updates were quickly released. Unfortunately, releasing updates doesn’t mean that users will apply them, even with repeated notifications from WordPress. The XSS vulnerability was a major security outbreak, bug fixes were quickly released.

Can We Trust WordPress to Protect Us?

Although the plugin with the backdoor code vulnerabilities was removed from the WordPress store, a question remains: “Why was it added back to the store after the three previous removals for similar issues?”

This happened after the sale of the plugin from the author to a new distributor. It was revealed that the updated plugin was publishing false entries to WordPress sites— These were only visible to logged-out users and didn’t show up in the WordPress admin section. This was in concert with a user-tracking functionality that implicitly went against WordPress’s terms of service, and that sent personal information to a third-party server!

While WordPress continues to be an incredibly popular web CMS platform, it’s important to ensure that all plugins are up to date, and that the WordPress platform itself has been fully patched.

Want to learn more about maintaining a secure presence on the Web? Contact NYNJA at NY (845) 406-6800, NJ (201) 785-7800 or info@nynja.com. Our security professionals will work with you to ensure your content, and site visitors are safe at all times.